cluster up support for N-1 clusters

install/templateservicebroker/previous/apiserver-template.yaml

@@ -0,0 +1,126 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: template-service-broker-apiserver
+parameters:
+- name: IMAGE
+  value: openshift/origin:latest
+- name: NAMESPACE
+  value: openshift-template-service-broker
+- name: LOGLEVEL
+  value: "0"
+- name: API_SERVER_CONFIG
+  value: |
+   kind: TemplateServiceBrokerConfig
+   apiVersion: config.templateservicebroker.openshift.io/v1
+   templateNamespaces:
+   - openshift
+- name: NODE_SELECTOR
+  value: "{}"
+objects:
+
+# to create the tsb server
+- apiVersion: extensions/v1beta1
+  kind: DaemonSet
+  metadata:
+    namespace: ${NAMESPACE}
+    name: apiserver
+    labels:
+      apiserver: "true"
+  spec:
+    template:
+      metadata:
+        name: apiserver
+        labels:
+          apiserver: "true"
+      spec:
+        serviceAccountName: apiserver
+        containers:
+        - name: c
+          image: ${IMAGE}
+          imagePullPolicy: IfNotPresent
+          command:
+          - "/usr/bin/openshift"
+          - "start"
+          - "template-service-broker"
+          - "--secure-port=8443"
+          - "--audit-log-path=-"
+          - "--tls-cert-file=/var/serving-cert/tls.crt"
+          - "--tls-private-key-file=/var/serving-cert/tls.key"
+          - "--loglevel=${LOGLEVEL}"
+          - "--config=/var/apiserver-config/apiserver-config.yaml"
+          ports:
+          - containerPort: 8443
+          volumeMounts:
+          - mountPath: /var/serving-cert
+            name: serving-cert
+          - mountPath: /var/apiserver-config
+            name: apiserver-config
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8443
+              scheme: HTTPS
+        nodeSelector: "${{NODE_SELECTOR}}"
+        volumes:
+        - name: serving-cert
+          secret:
+            defaultMode: 420
+            secretName: apiserver-serving-cert
+        - name: apiserver-config
+          configMap:
+            defaultMode: 420
+            name: apiserver-config
+
+# to create the config for the TSB
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    namespace: ${NAMESPACE}
+    name: apiserver-config
+  data:
+    apiserver-config.yaml: ${API_SERVER_CONFIG}
+
+# to be able to assign powers to the process
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    namespace: ${NAMESPACE}
+    name: apiserver
+
+# to be able to expose TSB inside the cluster
+- apiVersion: v1
+  kind: Service
+  metadata:
+    namespace: ${NAMESPACE}
+    name: apiserver
+    annotations:
+      service.alpha.openshift.io/serving-cert-secret-name: apiserver-serving-cert
+  spec:
+    selector:
+      apiserver: "true"
+    ports:
+    - name: https
+      port: 443
+      targetPort: 8443
+
+# This service account will be granted permission to call the TSB.
+# The token for this SA will be provided to the service catalog for
+# use when calling the TSB.
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    namespace: ${NAMESPACE}
+    name: templateservicebroker-client
+
+# This secret will be populated with a copy of the templateservicebroker-client SA's
+# auth token.  Since this secret has a static name, it can be referenced more
+# easily than the auto-generated secret for the service account.
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    namespace: ${NAMESPACE}
+    name: templateservicebroker-client
+    annotations:
+      kubernetes.io/service-account.name: templateservicebroker-client
+  type: kubernetes.io/service-account-token

pkg/oc/bootstrap/docker/up.go

@@ -114,14 +114,27 @@ var (
 		"jenkins pipeline persistent": "examples/jenkins/jenkins-persistent-template.json",
 		"sample pipeline":             "examples/jenkins/pipeline/samplepipeline.yaml",
 	}
-	// serviceCatalogTemplateLocations are templates that will be registered in an internal namespace
-	// when the service catalog is requested
-	serviceCatalogTemplateLocations = map[string]string{
+	// internalTemplateLocations are templates that will be registered in an internal namespace
+	// when the service catalog is requested.  These templates are compatible with both vN and vN-1
+	// clusters.  If they are not, they should be moved into the internalCurrent and internalPrevious maps.
+	internalTemplateLocations = map[string]string{
 		"service catalog":                      "examples/service-catalog/service-catalog.yaml",
-		"template service broker apiserver":    "install/templateservicebroker/apiserver-template.yaml",
 		"template service broker rbac":         "install/templateservicebroker/rbac-template.yaml",
 		"template service broker registration": "install/service-catalog-broker-resources/template-service-broker-registration.yaml",
 	}
+	// internalCurrentTemplateLocations are templates that will be registered in an internal namespace
+	// when the service catalog is requested.  These templates are for the current version of openshift
+	// (vN), for when the client version matches the cluster version.
+	internalCurrentTemplateLocations = map[string]string{
+		"template service broker apiserver": "install/templateservicebroker/apiserver-template.yaml",
+	}
+	// internalPreviousTemplateLocations are templates that will be registered in an internal namespace
+	// when the service catalog is requested, these templates are for the previous version of openshift
+	// (vN-1) to provide N-1 support for older clusters from a newer client.
+	internalPreviousTemplateLocations = map[string]string{
+		"template service broker apiserver": "install/templateservicebroker/previous/apiserver-template.yaml",
+	}
+
 	// loggingTemplateLocations are templates that will be registered in an internal namespace
 	// when logging is requested
 	loggingTemplateLocations = map[string]string{
@@ -411,9 +424,7 @@ func (c *ClientStartConfig) Complete(f *osclientcmd.Factory, cmd *cobra.Command)
 	c.addTask(conditionalTask("Importing templates", c.ImportTemplates, c.ShouldInitializeData))
 
 	// Import catalog templates
-	c.addTask(conditionalTask("Importing service catalog templates", c.ImportServiceCatalogTemplates, func() bool {
-		return c.ShouldInstallServiceCatalog && c.ShouldInitializeData()
-	}))
+	c.addTask(conditionalTask("Importing internal catalog templates", c.ImportInternalTemplates, c.ShouldInitializeData))
 
 	// Import logging templates
 	c.addTask(conditionalTask("Importing logging templates", c.ImportLoggingTemplates, func() bool {
@@ -989,11 +1000,24 @@ func (c *ClientStartConfig) ImportTemplates(out io.Writer) error {
 	return nil
 }
 
-// ImportServiceCatalogTemplates imports service catalog templates into the server
-func (c *ClientStartConfig) ImportServiceCatalogTemplates(out io.Writer) error {
-	if err := c.importObjects(out, openshift.OpenshiftInfraNamespace, serviceCatalogTemplateLocations); err != nil {
+// ImportInternalTemplates imports internal system templates into the server
+func (c *ClientStartConfig) ImportInternalTemplates(out io.Writer) error {
+	if err := c.importObjects(out, openshift.OpenshiftInfraNamespace, internalTemplateLocations); err != nil {
+		return err
+	}
+	version, err := c.OpenShiftHelper().ServerVersion()
+	if err != nil {
 		return err
 	}
+	if shouldImportCurrentTemplates(version) {
+		if err := c.importObjects(out, openshift.OpenshiftInfraNamespace, internalCurrentTemplateLocations); err != nil {
+			return err
+		}
+	} else {
+		if err := c.importObjects(out, openshift.OpenshiftInfraNamespace, internalPreviousTemplateLocations); err != nil {
+			return err
+		}
+	}
 	return nil
 }
 
@@ -1009,6 +1033,10 @@ func shouldImportAdminTemplates(v semver.Version) bool {
 	return v.GTE(openshiftVersion36)
 }
 
+func shouldImportCurrentTemplates(v semver.Version) bool {
+	return v.GT(openshiftVersion37)
+}
+
 func useAnsible(v semver.Version) bool {
 	return v.GTE(openshiftVersion36)
 }